Doxing and Defacements: Examining the Islamic State’s Hacking Capabilities
Popular conceptions of ‘hackers’ or ‘cyberterrorists’ evoke images of inexplicably hooded figures, lurking behind laptops and coding unimaginably detrimental software. From the public conscious to political rhetoric, this misconception places a wide array of digitally coordinated terrorist-related activities into a homogenous category, making it difficult to parse the nuances of varying networks and tactics. In the case of the Islamic State, inflated perceptions of the group’s capabilities can sometimes eclipse the reality.
The digital capabilities of the Islamic State, much like the virtual efforts of competing and preceding terrorist groups, are difficult to measure yet consistently elicit a great deal of public concern. In a 2012 article titled “The Cyber Terror Bogeyman,” Peter Singer explained that fear and perceptions of the cyberterrorist threat often blur the realities of terrorist capabilities, at least in part because of elusive conceptions of the term “cyberterrorism.”1 While the Federal Bureau of Investigation offers a relatively specific definition that is predicated on select efforts that result in violence,a other discussions of cyberterrorism tend to “sweep all sorts of nonviolent online mischief into the ‘terror’ bin.”2 This appears to result in the inflation of perceptions of cyberterrorism and the dangers it invites.b
The prolific nature of Islamic State propaganda online, paired with a piqued but murky comprehension of cyber threats by the public, creates an environment where actors with ties to the group are presumed to pose a genuine threat to national security, and possibly critical national infrastructure.3 Unfortunately, this logic “conflates the ability to produce and disseminate targeted propaganda with the ability and intent to carry out destructive cyber attacks.”4 While the flow of terrorist content online and the feasibility of attack planning remain critical problems that require political and legal interventions, each threat-type is distinct and bears different degrees of risk from other methods. Since the sophistication of operations also varies, even among efforts such as hacking, doxing,c defacements, and distributed denial of service attacks (DDoS), it is useful to consider the technical capabilities each method requires, the nature of the target, the likelihood the plan comes to fruition, and the material and perceptual impact of an attack.5
Assessing cyber measures in this manner can help contextualize online threats by highlighting the gap between perception and reality while flagging strategic and operational implications for policymakers and practitioners. The well-publicized 2015 hack of the United States Central Command’s (CENTCOM) social media accounts by actors claiming links to the Islamic State offers one opportunity to leverage this approach. In short, hackers compromised CENTCOM’s Twitter and YouTube accounts, and posted threats, propaganda, and military documents.6 Although this intrusion was jarring, subsequent investigation revealed that no classified information was disseminated, and that “virtually all of the documents posted were publicly available online.”7 Even though the hacking group intended to cast its effort as a large-scale data breach, commentators suggested that compromising CENTCOM’s social media accounts required far less sophistication than hacking into CENTCOM’s computer systems.8 In the end, this event was a nuisance and public relations problem for the U.S. government, military, and law enforcement, but various analyses and a statement from the military narrowly regarded the hack as a case of web defacement and “cyber vandalism.”9
Beyond capability, intention, and impact, the genuine nature of the relationship between online operatives and terrorist groups, and the attribution of attacks, are also elements that require further consideration. Much like terrorist attacks around the world, claims of responsibility for targeted efforts in the virtual arena are not always stated or discernible. In November 2014, the email of a person affiliated with Raqqa is Being Slaughtered Silently (RSS), a Syrian media group critical of the Islamic State, was targeted with social engineering and malware designed to reveal their location.10 After analyzing the attack, researchers at The Citizen Lab assessed that “[Islamic State] can’t be ruled out” as a possible source of the malware, but were ultimately “unable to connect this attack to [Islamic State]” or other supporters of the organization.d To complicate matters more, cyber groups that appear associated with the Islamic State and conduct campaigns that benefit the Islamic State are not necessarily connected to the Islamic State and its leadership.e In February 2017, for example, the Tunisian Fallaga Team conducted a website defacement campaign that targeted the NHS websites in the United Kingdom with graphic photos of the Syrian Civil War; some media reports covering the attack described Fallaga Team as “[Islamic State]-linked.”11 Ultimately, even though Fallaga Team leverages some political imagery linked to the Islamic State in defacement campaigns, it is crucial to remember that is has “not made any official declaration of loyalty” to the Islamic State or online groups that are pro-Islamic State.12 These attacks, among others,f show that affiliation and attribution to Islamic State in the digital sphere is not always clear-cut. In practice, such nuances can dictate the courses of action viable to law enforcement authorities tasked with countering and preventing terrorism and other criminal activities.
To confront this elusive problem, it is vital for policymakers, practitioners, and scholars to tether the issue to genuine appraisals of the threat and disaggregate the capabilities and intentions of the actors involved.13 By counterbalancing speculation about the worst-case cyberterrorism scenarios with concrete examples of the actions jihadi-inspired actors take in cyberspace, this article attempts to shed light on some of the ‘hooded figures’ by examining various uses and implications of hacking and doxing tactics among Islamic State supporters. As noted earlier, the case of Ardit Ferizi, one of the better-known hackers with links to the Islamic State, is an instructive example to discuss the capabilities, methods, and networks of pro-Islamic State hackers.
Ferizi and the August 2015 ‘Kill List’
Beginning in April 2015, Kosovar national and hacker Ardit Ferizi provided support to the Islamic State by transmitting personally identifiable information (PII) of U.S. and Western European citizens to Islamic State members in Raqqa, Syria.14 Ferizi, a computer science student at a Malaysian university, led a group of ethnic Albanian hackers known as “Kosova Hacker’s Security,” which compromised over 20,000 websites throughout Eastern Europe, Israel, and the United States.15 He also managed penvid.com, an online file-sharing service that hosted Islamic State propaganda.16 g
According to U.S. court documents, the first known online interactions between Ferizi and Islamic State members occurred via Twitter in April 2015. Using the handle @Th3Dir3ctorY, Ferizi sent a direct message to @Muslim_Sniper_D, an account operated by Hamayun Tariq, a British Islamic State fighter.17 h In his message, Ferizi explains, “Brother i have 4 million data of kuffar countrys (sic) which attacking islamic state,” and attached screenshots of credit card and account information from over 60 citizens of Western countries.18
Hamayun Tariq directed Ferizi to contact another Islamic State member, Abu Hussain al-Britani, telling Ferizi that “[he] is my friend he told me a lot about u.”19 Abu Hussain al-Britani was the kunya of Junaid Hussain, a notorious British Islamic State member who directed attacks in Western countries through the use of digital communications technologies.20 Prior to traveling to Islamic State-controlled territory in 2013, Hussain, like Ferizi, was a politically motivated hacktivist. Under the pseudonym TriCK, Hussain was part of a hacker’s collective named TeaMp0isoN, which coordinated hacks against select targets, including the U.K. government.21 i After joining the Islamic State, Hussain supported some hacking-related and doxing efforts under the banner of the Islamic State Hacking Division.j In March 2015, for example, Hussain posted a ‘kill list’ comprised of the names and addresses of 100 members of the U.S. military.22
On June 13, 2015, aware of and possibly inspired by the March 2015 Islamic State Hacking Division kill list,k Ferizi illegally obtained “system administrator-level access” to the servers of an Illinois-based company and accessed customer records databases, containing the PII (including phone numbers, email addresses, physical addresses, and passwords) of approximately 100,000 store patrons.23 Refining his search to entries with a .gov or .mil email address, Ferizi compiled a list of 1,351 U.S. government or military personnel.24 The same day, Ferizi contacted Junaid Hussain on Skype and provided him links to lists of .gov and .mil email “dumps” that he pulled from the database. Hussain replied, “Akhi [brother] this will hit them hard … we will make a good message to the kuffar.”25
Two months later (in August 2015), “in the name of the Islamic State Hacking Division,” Hussain tweeted a link to the information Ferizi stole alongside the post: “NEW: U.S. Military and Government HACKED by the Islamic State Hacking Division!”26 The 30-page document contained the PII of the 1,351 U.S. persons with .gov and .mil addresses, preceded by a brief threat from the Hacking Division: “we are in your emails and computer systems … we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”27
After Ferizi breached the company server in June 2015, an employee of the company contacted the FBI and reported a breach of access by an unknown administrative account bearing the name “KHS,” referring to Ferizi’s hacking outfit Kosova Hacker’s Security.28 After providing the account details to the FBI, the employees and server technicians tried to remove the DUBrute.exe malware, the IP scanner, and the KHS account that Ferizi used to gain top-level access to the server.29 Ferizi responded on August 19, 2015, by regaining access and emailing the company, threatening to release the full 100,000-plus user database if they deleted his files again. He also demanded payment in bitcoin.30 By that time, however, the company had already given the FBI consent to examine all contents of the server, including the IP addresses of those who accessed the server.31
The FBI found that someone using a Malaysian IP address used Structured Query Language injection (SQLi) to access the company’s server illegally. Ferizi logged into a Facebook profile, a Twitter account that he used to communicate with Hamayun Tariq, and the Skype account he used to message Junaid Hussain from that same IP address.32 While authorities prepared for Ferizi’s arrest, U.S. intelligence and military officials targeted and killed Hussain in late August 201533 as Hussain reportedly left an internet cafe in Raqqa.34
Back in Malaysia, Ferizi attempted to digitally clear evidence by reformatting hard drives and deleting files off the two laptops that he used for hacking jobs.35 On September 10, 2015, however, Ferizi used his Facebook accounts to send himself a spreadsheet titled “contact.csv” with 100,001 PII records.36 The FBI obtained a search warrant, accessed that account and file, and determined that it matched the company’s illegally accessed records. The Royal Malaysia Police arrested Ferizi at Kuala Lumpur International Airport on September 15, 2015, as he attempted to leave the country for Kosovo with two laptops.37 After his eventual extradition to the United States, Ferizi pleaded guilty to unauthorized access and material support violations in the Eastern District Court of Virginia.38
Islamic State Doxing and Kill Lists
Ardit Ferizi’s hacking efforts resulted in the publication of one of the best-known ‘kill lists’ released by Islamic State sympathizers, and to date, it remains one of the more sophisticated computer network operations on behalf of the group. Compiling the PII of U.S. persons, publishing the information (doxing), and calling for attacks is an established mode of operations for hacking groups aligning themselves with facets of the Islamic State’s agenda.39 In a 2017 interview in this publication, Lisa Monaco, former assistant to President Barack Obama for Homeland Security and Counterterrorism, discussed the Ferizi case, noting how it demonstrated that the Islamic State can sometimes “outsource” tasks like hacking to criminal actors instead of amassing such capabilities within its ranks.40 It seems, however, that sympathetic hackers range in their level of connection to central Islamic State external operations and media apparatuses, as well as their technical and tactical proficiency in hacking.41 Doxing efforts and the dissemination of kill lists may be attractive to aspiring online operatives because these measures are relatively feasible at the tactical level, even without expert-level hacking skills, and successfully instigate fear.42
The first reported ‘kill list’ distributed by individuals aligned with the Islamic State, which arguably popularized the technique, occurred in March 2015.43 Hussain and the Islamic State Hacking Division accessed information on members of the U.S. military from open-source research, tracking down addresses and emails from social media, accounts on major websites, and other publicly available sources.44 According to an FBI agent who worked on the Ferizi case, the FBI assessed that the PII on the March 2015 kill list “didn’t [come] from any type of [Computer Network Operations] attack, but [Junaid Hussain] was very good at open-source research … he even paid for some services like Lexis-Nexis to get actual home addresses.”45 The Hacking Division’s efforts resulted in the release of approximately 100 names and addresses that Hussain believed to belong to U.S. Air Force personnel at two bases in the Middle East.46 In conversations with Ferizi, Hussain claimed that the March 2015 effort was the inspiration for future efforts, including the August 2015 hitlist: “we will only release mil and gov … like u know the hitlist i made with addresses … we will make message to the kuffar and release the .mil and .gov.”47
Since March 2015 especially, other hacking collectives claiming affiliation to or supporting the Islamic State attempted to dox targets and publish kill lists. According to one study, Islamic State sympathizers released at least 19 separate kill lists, including the PII of European and American citizens, between March 2015 and June 2016.48 The majority were released by three separate groups: the Islamic State Hacking Division (ISHD), the Caliphate Cyber Army (CCA), and the United Cyber Caliphate (UCC).49 Broadly speaking, these targeted civilians, government employees, members of the military, and law enforcement.50 Evidence suggests that they varied in originality and authenticity, as further analyses discovered that some lists repackaged information from existing public sources.51 While threatening, such efforts do not require advanced cyber capabilities: “the publication of these lists only demonstrates an understanding of how to collate information and release it in such a way as to create the impressions of power.”52 Extending beyond the capabilities of these pro-Islamic State cyber groups, it is interesting to highlight the observation “that few groups appear to have explicitly expressed intent to target critical national infrastructure using cyberattacks.”53
The response to the release of kill lists of U.S. persons by Islamic State-affiliated hackers understandably evokes a great deal of concern from policymakers, practitioners, the public, and of course, the individuals on the lists.54 However, it is important to differentiate low- and medium-sophistication efforts (ranging from doxing attempts from open-source information to compromising government social media accounts and breaching the servers of private companies) from those that require drastically more resources and skills, like computer network operations targeting critical infrastructure or other large-scale cyber-enabled attacks. By recognizing the likelihood of certain attack types, and reducing the impact of low-level efforts, the counterterrorism community can proportionally respond to groups’ demonstrated abilities rather than hypothetical ones.55
Anecdotally, discerning the actual impact of these releases on attack plots in the United States is difficult. Cases involving reports of an American Islamic State sympathizer who, using the PII of individuals available on known kill lists, attempted to locate and attack them are problematic, but not especially common.56 In September 2015, for example, the now-convicted Virginia resident Haris Qamar told a confidential witness that the addresses of individuals named on one kill list were located near his home.57 Qamar told the confidential witness that he noticed undercover police cars near those residences, and based on those comments, authorities working on the case believed that “Qamar likely drove past those residences after their occupants were included on the ‘kill list.’”58 Authorities arrested Qamar in 2016, and he pleaded guilty later that year to attempting to provide material support to the Islamic State.59 Meanwhile in 2016, Maryland resident Nelash Mohamed Das was accused of plotting attacks against U.S. military personnel.60 Before receiving a fake target from an FBI confidential human source, he allegedly accessed one of the 2015 United Cyber Caliphate kill lists and selected an individual that lived nearby.61 Ultimately, the FBI arrested Das before he allegedly had the chance to carry out his plot, and a federal grand jury charged him with attempting to provide material support to the Islamic State.62 Das pleaded not guilty, and at the time of writing, his case is still pending.63
More U.S. prosecutions involve individuals who rebroadcast kill lists on social media rather than carrying out their instructions themselves. Between May and August 2015, the subsequently convicted Buffalo, Missouri, resident Safya Yassin posted the PII of several individual targets inside the United States alongside direct threats, culminating in her retweeting of the August 2015 Ferizi-Hussain list.64 In a similar case, Ohio resident Terrence McNeil solicited the murder of U.S. military personnel by reposting the March 2015 list of 100 servicemembers onto a Tumblr page he operated, alongside a direct call to murder the individuals on the list.65 Later that year, McNeil posted additional kill lists online and reiterated calls for the targeting of U.S. service members. He was subsequently convicted.66
Finally, authorities arrested Kentucky resident Marie Castelli after she distributed a five-page document containing PII onto a pro-Islamic State Facebook group in October 2015.67 Interestingly, there is evidence indicating that Junaid Hussain’s widow Sally Jones played a role in collating this document and disseminating it online, demonstrating that doxing efforts continued after Hussain’s death.68 Castelli pleaded guilty to communicating threats in interstate commerce in late 2017.69
Looking beyond their immediate results, doxings and kill lists represent a method for Islamic State sympathizers with limited cyber proficiencies, resources, technical capabilities, and direction to make an outsized impact. Sympathizers that merely repost this information require even fewer skills and resources. To date, very few of these attempts required the groups behind them to conduct advanced computer network operations; Islamic State-affiliated hacking groups instead used information that is largely available to the public to garner the information for lists. Whether Islamic State sympathizers will attempt to continue doxing operations into the future remains unclear, but it is likely that those with interest in online operations will gravitate toward efforts that create, from their point of view, a similarly high return on relatively low investment.
Other Hacking Efforts by American Jihadi Sympathizers
To further contextualize Ferizi’s acts of cyberterrorism within other manifestations of hacking-related and terrorism-oriented cases in the United States and abroad, it is productive to look to other individuals who used hacking techniques to advance their causes, with varying degrees of success.
In some instances, individuals might conduct lower-level hacks into social media accounts to achieve operational security70 with the goal of promoting pro-Islamic State materials and tactical information clandestinely. Waheba Dais, a Wisconsin woman who recently pleaded guilty to attempting to provide material support to the Islamic State, hacked into several “private social media platforms,” namely Facebook accounts, to communicate with others and share propaganda.71 l There is evidence that Dais and individuals in her network adopted this method to communicate with each other while avoiding detection by law enforcement.72 Although Dais engaged in other problematic behaviors online, including facilitating access to poison and bomb-making instructions and assisting in attack planning, the intent of her hacking efforts differs from some of the other cases discussed in this article.73 Here, hacking individual social media accounts served as a means to achieve operational security, and subsequently promote the objectives of a group. While undoubtedly troublesome, such efforts are less sophisticated and impactful than illegally accessing a company server to steal information and publish a kill list.
By way of contrast, the ongoing case of Chicago resident Ashraf Al Safoo and his pro-Islamic State online media network shows that some sympathizers may hack accounts to optimize their influence online and counteract the effects of account suspensions and removals by social media providers.m Al Safoo, who authorities charged with conspiracy to provide material support in October 2018, allegedly worked with a range of online co-conspirators to produce, coordinate, and disseminate propaganda across multiple social media platforms.74 Since such activities required regular access to active accounts, Al Safoo and other members of the Khattab Media Foundation purportedly “took steps to acquire access to as many accounts as possible” for sympathizers in their cohort.75 n These efforts included creating “account ‘banks’” and “hacking the accounts of legitimate social media users.”76 In a group chat, one contributor articulated their preference for hacked accounts, arguing that they stayed open longer than new accounts.77 Although Al Safoo and his contacts regularly emphasized the importance of operational security in their online activities, court filings indicated that the rationale behind hacking into accounts on various social media platforms appears motivated by the desire to broadcast their messages as opposed to masking their identities.78
As an entirely different illustration of how jihadi-inspired individuals may use hacking-related techniques to advance their causes, it is useful to discuss the American John Georgelas’ ventures prior to traveling to Syria and joining the Islamic State.79 While his current whereabouts are unknown, as a teenager, Georgelas joined a hacktivist group called “Global Hell,” which gained notoriety for some high-profile online intrusions that resulted in the prosecution of several of its members.80 Evidence from a formal investigation revealed that Georgelas expressed support for al-Qa`ida in private communications with a Canadian woman, and “provided technical support to a pro-jihad website, jihadunspun.com,” which served as “a propaganda vehicle to promote Osama Bin Laden and Al Qaeda.”81 As a young professional, Georgelas worked as a Datacenter Operations Technician at Rackspace, a server company with facilities in Texas. In 2006, during his time with the company, he gained unauthorized access to another computer server to identify the login credentials for the American Israel Public Affairs Committee (AIPAC.org), a client of Rackspace.82 Georgelas later admitted to investigating authorities that “he acted knowingly and intentionally exceeded his authorized access” and “intended to cause damage to the AIPAC.org website.”83 Seemingly compelled by ideological reasons, Georgelas’ aspirations for vandalizing the AIPAC site never came to fruition. Even so, Rackspace incurred more than $44,000 in damages as a result of Georgelas’ actions.84
Conclusion
Despite attracting a great deal of attention, particularly from mass media, experts largely agree that the Islamic State and the range of cyber actors and hackers that claim affiliation to the organization do not exhibit especially advanced cyberterrorism capabilities.85 In a 2017 interview, for example, Lora Shiao, then the National Counterterrorism Center’s acting director for intelligence, explained that the Islamic State “has minimal hacking skills.”86 Shiao elaborated, noting that members “are able to deface websites” and publish “‘hit lists’ of personally identifiable information on westerners, but this is primarily for intimidation.”87
In truth, while most pro-Islamic State hacking, doxing, and defacements efforts lack sophistication, these methods can effectively intimidate the public, cause reputational damage, and ignite fears about the threats posed by terrorism and cyberterrorism. Even if individual attacks have limited effects, the sum of events and the lack of clarity regarding attribution to the Islamic State inflates perceptions of cyber actors’ intent and technical aptitude. In recent years, “the omnipresence and professionalization of internet use by [Islamic State supporters] have led to a conflation of their presence online with a capability to undertake cyberattacks.”88 While matters concerning propaganda or terrorists’ use of technology for attack planning are undoubtedly serious, the Islamic State’s proficiency in strategic communications is not a good indicator of the organization’s ability to conduct offensive cyber operations. Moreover, the use of tactics like hacking, doxing, and defacements by pro-Islamic State actors does not suggest that the Islamic State or its online supporters are interested in, much less capable of full-fledged cyberattacks targeting critical national infrastructure.
To date, these tactics remain relevant to those tasked with countering terrorism in the virtual arena. In March 2019, the FBI arrested Kim Anh Vo, a resident of Georgia and a reported member of the UCC-affiliated hacking collective called “Kalachnikv E-Security Team.”89 Vo, whose case is pending, claimed to the FBI during an interview that she worked primarily as a recruiter for the UCC, but also helped translate the group’s media releases and deface websites.90 In April 2017, Vo allegedly coordinated the publication of a kill list with UCC members in several countries, including Norway, the Netherlands, and Iraq. UCC hacktivists collected the PII of over 8,000 individuals during a website intrusion into a U.S.-based business.91 Using a Telegram group to facilitate communications between the UCC members and distribute the list, the UCC published it alongside a YouTube video, which threatened the individuals identified in the list.92
Although it is difficult to quantify the impact of Vo’s contribution, the continued use of these methods, from virtual vandalism to doxing, suggests that they remain favorable tactics among cyber groups today. In subsequent evaluations of the threats posed by cyberterrorism and terrorists online, it is vital to remain rooted in how terrorist organizations and individuals leverage various technologies and the internet.93 Since the complexity of operations vary, even among efforts such as hacking, doxing, and defacements, the counterterrorism practitioners responding to these threats must work to discern the technical capabilities each attack type requires, the nature of the target, the likelihood attacks come to fruition, and the material and perceptual impact of an attack. While it is useful to stay vigilant and prepared to cope with the worst-case scenarios, focusing on terrorists’ use of the internet, along with other criminal enterprises, can help prepare for the most likely scenarios.94 Even though the Islamic State does not demonstrate extensive offensive cyber capabilities, operational security and more defensive measures to remain online are priorities for the organization and its supporters.